informa
Slideshow

7 Tips for Communicating with the Board

The key? Rather than getting bogged down in the technical details, focus on how a security program is addressing business risk.
1. Use Metrics That Relate to Business Objectives
2. Map Metrics to a Security Framework
3. Quantify Risk by Business Unit
4. Don't Resort to FUD
5. Highlight Compliance Issues
6. Emphasize the Legal Consequences of Cybersecurity Failures
7. Don't Surprise the Board
1/7

CISOs and other security leaders are under growing pressure to improve how they communicate with boards of directors.

Cybersecurity has become a board-level issue in many organizations amid growing concerns over the regulatory, financial, and reputational implications of data breaches and security failures. In fact, Gartner expects that by 2020, 100% of large organizations will be asked to report to their boards at least once annually on cybersecurity risk — up from the 40% that are required to do so currently.

That means security leaders will need to overcome their traditional communication challenges and find new and better ways to convey technology risk.

Ensuring board awareness about key metrics of cybersecurity programs has become critically important, says Greg Reber, partner at Moss Adams, a Seattle-based accounting, consulting, and wealth management firm. Board members need to be able to track not just cybersecurity events and actions, but also new and emerging threats. They also require a continuous assessment of how a program is doing, along with a road map of cybersecurity-related projects and their goals, Reber says.

"Cybersecurity is a relatively new risk but aligns very directly within traditional BoD oversight duties," he notes.

Here are the key steps for effectively communicating with the board.

 
Next slide
Recommended Reading: